Explore insights from the 9th Performance Audit Seminar on IT and Information Security audits in the Australian Government context. Learn about cyber resilience strategies, ANAO audit outcomes, and recommendations for improving compliance in cybersecurity.
Presentation to the 9th Performance Audit Seminar on IT Audit: Information Technology Security Audit. Auditing Cyber Resilience in the Australian Government context, April 2019. Based on the ANAO Audit Report No.53 2017-18, Cyber Resilience
Agenda • The Australian Government context • ANAO audits • Changes • The future
This is a continuing area of interest for Parliament • Recent reports from the press • February 2019 – hackers targeted political parties in an attack on Parliament's servers • January 2019 – State Government employee directory accessed by an unauthorised party • November 2018 – cyber security breach and extortion attempt on an Australian defence contractor
Top 6 cyber intrusion types Source: ACSC Threat Report 2017
Strategies to Mitigate Cyber Security Incidents • Published by Australian Signals Directorate since 2010 • Based on lessons learned from their visibility of cyber security incidents, vulnerabilities and adversary techniques • Regularly updated to address evolving landscape • Per ASD, correct implementation of the current version would have effectively prevented, or minimised the extent of, compromise to the victim network in every case they have investigated over the past few years
Australian Government Cyber Security Framework • Regulatory framework in Commonwealth government – Protective Security Policy Framework (PSPF) • Detailed standards, guidelines and mandatory cyber security requirements based on ASD Strategies • Self-assessment reporting process
ANAO Audits • The ANAO has issued four reports on Australian Government entities’ compliance with the ISM and their overall cyber resilience • No.50 2013-14 Cyber Attacks: Securing Agencies’ ICT Systems • No.37 2015-16 Cyber Resilience • No.42 2016-17 Cybersecurity Follow-up Audit • No.53 2017-18 Cyber Resilience • Copies of these reports are available from the ANAO website: www.anao.gov.au
ANAO Audits - approach • Audit approach – “Compliance Plus” • Audit criteria and assessment standard • Government mandatory cyber security requirements • Foundation ICT control framework (ITGC) • A wide coverage of government entities • Detailed examination of cybersecurity measures at various technical levels
ANAO Audits - outcomes • 2014: 0/7 entities compliant • 2016: 2/4 entities compliant • 2017: 1/3 entities compliant • 2018: 1/3 entities compliant
ANAO Audits - outcomes [Figure: cyber resilience matrix. Horizontal axis: compliance with the Top Four mitigation strategies (Controls in place / Actively implementing / Controls not in place). Vertical axis: IT General Controls met / not met, i.e. maturity in Logical Access & Change Management. Quadrants: Vulnerable (neither met), Internally Resilient (ITGC met, Top Four not in place), Externally Resilient (Top Four in place, ITGC not met), Cyber Resilient (both met, cyber security embedded in business process).]
Entity self-assessment In 2014 and 2015, cyber security controls had the highest incidence of non-compliance among all PSPF requirements
Entity self-assessment In 2017, cyber security controls continued to have the lowest levels of compliance
The Joint Committee of Public Accounts and Audit response to these audits • In March 2015, the Committee recommended that the ANAO consider including regular audits, in its schedule of performance audits, of Commonwealth entities’ compliance with the top four mitigation strategies as well as Commonwealth entities’ overall security posture. • In March 2017, the Committee recommended that in future audits on cybersecurity compliance, the ANAO outline the behaviours and practices it would expect in a cyber resilient entity, and assess against these.
Culture - approach • Focus on behaviours and practices that provide an indicator of culture • Identify what compliant entities have in common • Identify related characteristics of less mature entities • Draw on findings from related audits
What compliant entities had in common • Established an ICT governance framework that incorporates cyber security • Took a risk-based approach to managing cyber security investment • Clearly defined management roles and responsibilities for cyber security • Obtained the right skillset and expertise for cyber security • Embedded cyber security in the entity culture
Culture – key findings • Governance and risk management • Including leadership and accountability • Roles and responsibilities • Including knowledge, skills and abilities • Technical support • Assessment of status
Where to from here? • Recommendation 2 of the 2018 report was to …improve compliance with the framework by: • providing adequate technical guidance to support entities to accurately self-assess compliance with the Top Four mitigation strategies and their underlying controls contained in the Information Security Manual; • developing a program for verifying entities’ reported compliance with the mandatory cyber security requirements; and • increasing transparency and accountability about entities’ compliance with those requirements.
Current status • Update to PSPF published in October 2018, which included additional guidance on implementation of requirements. • Updates to ISM and other guidance material • Additional reporting requirements in relation to self-assessment • Summary report on whole-of-Government security posture based on entity self-assessment to be published in 2020
Some Ongoing Challenges • Increasingly sophisticated cyber attacks • Technology evolution is accelerating business digitisation and connection • Changes in legislation and government policy requirements • Citizens’ and customers’ expectations • Cyber security skill shortage • Achieving compliance
Key Messages • Cyber resilience is a journey • Start from executive commitment • Utilise existing standards and compliance frameworks • Implement proven workable strategies • Culture is an integral part of cyber resilience – “compliance plus”